Re: 9800L WLC and 9166i AP DTLS errors

billydailey · ‎05-14-2023

Hi there,

Setup up a simple network to test with the WLC, a switch, and an AP based on a youtube lab video.

all worked great. I set up policies, etc.

I factory reset the WLC to move the controller into a larger solution with IPv6. Connectivity is established, however the AP will not join. It does show up as an AP in the controller but will not join and shows a DTLS close error and another DTLS error that i do not recall. I also factory reset the AP holding the button for about 40 seconds as shown while consoled into the AP. Everything points to a certificate issue. I thought i read something about clearing private config in the AP, but would think a factory reset would address that.

Also, since the management vlan is trunked to the switch, should the AP ports be trunks or switch ports and do i have to address the native vlan?

Thanks in advance.

marce1000 · ‎05-14-2023

0) >...and shows a DTLS close error and another DTLS error that i do not recall.
Please try to provide that information , consider that essential
>...Everything points to a certificate issue
How is this assertion made (same remark as above) (?)

- 1) What is the controller software version , you need at least 17.9.2 ; have a go with 17.9.3 for instance which now also supports the older Wave1 APs again
2) Have a checkup of the controller configuration with the CLI command show tech wireless ; have the output analyzed with https://cway.cisco.com/wireless-config-analyzer
3) Use these tools for analyzing AP join issues : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin
4) Post the complete AP boot process

Appendix : a number of other commands related to analyzing DTLS (AP joining problems)
show wireless stats ap join summary
show wireless dtls connections
show platform hardware chassis active qfp feature wireless capwap datapath statistics drop all
show platform hardware chassis active qfp feature wireless capwap datapath mac-address <APradio-mac> details
show platform hardware chassis active qfp feature wireless capwap datapath mac-address <APradio-mac> statistics
show platform hardware chassis active qfp feature wireless dtls datapath statistics all
show platform hardware chassis active qfp statistics drop all | inc Global | Wls (Data Plane Statistics – Global Wireless Drops)
show tunnel eogre manager stats instance 0
show ap name APa80c.0dd2.1fa8 tag detail
show capwap client config
show capwap detailed
show capwap summary

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎05-15-2023

Further to what Marce already advised - in general:
- AP management VLAN needs to be the native VLAN if the switch port is a trunk port (generally for flexconnect mode). If using the AP in local mode then switch port can be an access port in the AP management VLAN. Either way AP management traffic is untagged.
- AP needs a way to discover the WLC - whether by broadcast on local subnet, DNS or DHCP option 43 (generally the most popular option)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

billydailey · ‎05-16-2023

Thank you. So i checked the clock and it was off. Set it correctly and all 3 aps joined. I went through the WLAN setup and all was well. I decided to delete the WLAN and set it up differently. 2 of the APs joined, the other is again getting the DTLS handshake expired message. When i console into the AP, i see the same messages and a no valid user found, please configure a valid user from Controller. Do as I never set anything up. This is the 9136 that is giving me a fit. the other 2 are 9166 and 18521. Those 2 join immediately. Is there a way to change the DTLS timer? Its expiring after 60 seconds.

marce1000 · ‎05-16-2023

- Better post the complete boot process from the problematic AP as it appears on the console ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

billydailey · ‎05-16-2023

so after 3 hours of DTLS starts and closes, it finally joined.....im almost afraid to reboot to see what it does.....but ill give it a go.

marce1000 · ‎05-16-2023

>....so after 3 hours of DTLS starts and closes, it finally joined.
- That's not the idea for use in a business environment , which effectively 'can't work' ; but your outputs remain too misty , give us something to work with , such as an example boot process from the problematic AP , as asked earlier ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

billydailey · ‎05-16-2023

ok, here is the bootup log, but as i said earlier, this time it joined pretty quickly. The problem seems to be when i delete a WLAN from the controller. Should the APs be disassociated somehow before deleting a wireless lan?

Also, the WLC is running 17.9.3

marce1000 · ‎05-16-2023

>...Should the APs be disassociated somehow before deleting a wireless lan?
No , that is not related but run this procedure too :
2) Have a checkup of the controller configuration with the CLI command show tech wireless ; have the output analyzed with https://cway.cisco.com/wireless-config-analyzer
(from my initial post -> strongly recommended!)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

billydailey · ‎05-16-2023

yep, just did that....some yellows, only one red.

So if i want to send an AP to another lab to use. Should i do anything to it before disconnecting it? So they dont have a similar issue? Deleting the private config or something?

billydailey · ‎05-22-2023

Good Morning, any updates to this thread? So what i have so far is:

9166 and 1852 APs will join the controller, even after a factory reset pretty quickly.

The 9136 takes a very long time, it seems like the 60second DTLS timer expires before the controller and AP are finished setting up. Any ideas? However, when the controller is just disconnected, it joins the same controller pretty quickly.

Rich R · ‎05-22-2023

What do you mean by "However, when the controller is just disconnected, it joins the same controller pretty quickly."?

So looking back at that AP log you shared: I hadn't noticed before that you're using IPv6 which I don't think many of us are, so you might see problems that others don't. What I notice in the logs:
[*05/16/2023 04:21:12.5866] No IPv4 AP Mgr in IPv4 pref mode. Try IPv6 mode...
[*05/16/2023 12:20:07.1995] Joined on non-prefered transport. Retry with prefer-mode IPv4
Have you tried setting

preferred-mode ipv6

As per https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_ewlc_ipv6_on_flex_mesh.html ?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

billydailey · ‎05-31-2023

I meant when i disconnected an AP, and reconnect it, the AP joins the controller pretty quickly. Yes, we are using IPv6. I was looking for the mode in the GUI to prefer IPv6. Is that command in the contoller?

Also, in the controller, it says the software doesnt support the 6Ghz radios in the 9166 and 9136. What version supports those APs 100%?

When i connect a PC to an SSID, it connects and pulls an IPv6 IP. In the controller gui, the client status shows Run. When i connect a cell phone to the AP, it never pulls an IP, and the client status shows IP learn. Any ideas what that is about. A coworker said if there is no internet connection to the network, cell phones will just drop and never connect. At this time in the lab, we do not have an internet connection to this network.

Rich R · ‎06-01-2023

Yes it's in the WLC config in the AP profile - I even provided the link to the config guide ...

6E radios depends on software version and country - they're not supported everywhere yet.

My answer here has a few links you can check:
https://community.cisco.com/t5/wireless/wifi-6e-operation-status-down/m-p/4843560/highlight/true#M256372

> A coworker said if there is no internet connection to the network, cell phones will just drop and never connect.
That is entirely dependent on device behaviour. iOS usually offers the choice of Use without internet or Use another network (meaning disconnect)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390